WordPress Security – The Vulnerabilities And How To Make Your Site More Secure

WordPress is the most popular content management system (CMS) on the Web. The flexibility of the system has led to this popularity, and it now powers over 26% of websites. Unfortunately, few website owners consider the security of their WordPress sites, and hacking of these sites is on the rise.

Where Are The Vulnerabilities?

The most common source of vulnerabilities is WordPress plugins, at around 52%, followed by around 37% in WordPress core itself. Themes are the next biggest culprits, accounting for around 11% of the vulnerabilities. This data is provided by WPScan and Wordfence.

WPScan claims that 39% of the vulnerabilities in WordPress are the result of cross-site scripting (XSS), but there are others too, such as SQL injection (SQLi), insecure file uploads, cross-site request forgery (CSRF) and local file inclusion (LFI). Older versions of WordPress are more vulnerable, with versions 3.7.1 and 3.8.1 experiencing the most problems.

How To Protect Your WordPress Installation

With the number of vulnerabilities in the system, you need to do everything that you can to protect your site. The following security practices are highly recommended:

Make Sure That All Plugins Are Up To Date

With plugins being the biggest security vulnerability offenders, it makes sense to keep them all up to date. Plugin developers patch them regularly to close security holes, and it will be easy for hackers to get into your site if an older version leaves a back door open.

Try to use trusted plugins as much as possible, and only use those that are displayed in the WordPress repository. If you are interested in a premium plugin then ask questions about security testing before you buy.

Update Your Version Of WordPress

Protect your core WordPress installation by ensuring that the version you are running is up to date. An automatic update facility was added in version 3.7, which means that updates are very easy to apply from the dashboard.

Always make a backup of your site; this can be automatically scheduled. If you do suffer an attack, you will be able to roll back easily and quickly restore your site. Get into the habit of making backups before you upgrade WordPress or install new plugins or themes.

Be Smart With Usernames And Passwords

A lot of people use "admin" as their username for WordPress, and this must be avoided. Choose something else and use a complex password. This is one of the easiest ways to improve the security of your site.

There are a number of malicious bots that crawl the Internet continuously, and they will attempt to guess your login details. It is estimated that 8% of WordPress sites are hacked because they have weak login details. Don't be part of this statistic.

Two Step Authentication Will Make It Even More Secure

Most WordPress owners are unaware that it is possible to enable a two-step authentication process. There is a Google Authenticator plugin which supports an unlimited number of users and is free.

Once the plugin has been installed you can open a user account and set up the two-step authentication process. This involves creating a secret key and then marking the user account as active.

Use WordPress Security Plugins

There are a number of robust security plugins that you can use to lock down your site and prevent attacks. One of the most popular is Wordfence. What these plugins do is scan your installation for vulnerabilities, block malicious networks, enforce the use of strong passwords, provide a firewall that blocks the most common security threats, keep track of DNS changes and much more.

Watch Your wp-config.php

If an intruder wants to know all about your WordPress installation, all they need to do is read your wp-config.php file. They will be able to see the name of your database and other essential details.

Once your installation is set up, the easiest thing you can do is move the contents of your wp-config.php file to a file in another directory that is not publicly accessible. You will then have to add a PHP include statement to the main wp-config.php file so that it pulls in the information from the new file.

You can also modify your .htaccess file to add a deny statement for the wp-config.php file.
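One way to carry out the relocation and the .htaccess deny described above, as an added shell example that is not part of the original article: it moves the real wp-config.php to a directory you choose outside the web root, leaves a stub behind that includes it, and appends a deny rule. The function names, the directory paths and the use of Apache 2.4 "Require all denied" syntax are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the article. Relocate the real wp-config.php
# outside the web root and leave a stub that includes it, then deny direct
# HTTP requests for the stub via .htaccess.
# Assumptions: $1 is the WordPress directory (web root), $2 is a directory the
# web server does not serve but the PHP process can read; Apache 2.4 syntax.

relocate_wp_config() {
  docroot="$1"
  secure_dir="$2"
  mkdir -p "$secure_dir"
  # Move the real settings (database name and other details) out of the web root.
  mv "$docroot/wp-config.php" "$secure_dir/wp-config.php"
  # Owner read/write, group (the web server's group, or PHP running as the
  # owner) read only, nothing for anyone else.
  chmod 640 "$secure_dir/wp-config.php"
  # Write the stub WordPress will load; it only pulls in the relocated file.
  cat > "$docroot/wp-config.php" <<EOF
<?php
// Stub: the real configuration lives outside the web root.
require_once '$secure_dir/wp-config.php';
EOF
}

deny_wp_config_in_htaccess() {
  docroot="$1"
  # Refuse any direct request for wp-config.php, so the stub is never served
  # as plain text even if PHP handling is misconfigured. Apache 2.4 syntax;
  # on Apache 2.2 use "Order allow,deny" and "Deny from all" instead.
  cat >> "$docroot/.htaccess" <<'EOF'
<Files wp-config.php>
    Require all denied
</Files>
EOF
}

# Usage (paths are placeholders):
#   relocate_wp_config /var/www/html /var/www/private
#   deny_wp_config_in_htaccess /var/www/html
```

Two practical notes: WordPress itself already looks one directory above the web root for wp-config.php when none is present in the root, so for that particular location the stub is optional; the stub approach works for any path. The .htaccess rule only takes effect on Apache with AllowOverride enabled for the directory; on nginx the equivalent is a location block that returns 403 for the file.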

Make Sure You Disable XML-RPC

Brute force attacks that exploit the XML-RPC function are common in WordPress installations. It is unlikely that you will ever use this function, so be sure to disable it when you set up your site. You can also install a plugin to disable the function.
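An added shell example, not from the article, for two points on this page: blocking the XML-RPC endpoint at the web server, and, for the bots that guess login details mentioned under usernames and passwords, spotting the POST floods against /xmlrpc.php and /wp-login.php in an Apache access log. The log lines are constructed for the example, the addresses come from documentation ranges, and the function names and Apache 2.4 syntax are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article.

# Block the XML-RPC endpoint at the web server. This stops every XML-RPC
# request, unlike the WordPress 'xmlrpc_enabled' filter, which only disables
# the methods that require authentication. Apache 2.4 syntax (assumption).
deny_xmlrpc_in_htaccess() {
  cat >> "$1/.htaccess" <<'EOF'
<Files xmlrpc.php>
    Require all denied
</Files>
EOF
}

# Constructed sample access-log lines in Apache "combined" format; the
# addresses are documentation ranges, not real clients.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/Oct/2016:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2016:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2016:13:56:02 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Print "count ip path" for each client that POSTed to xmlrpc.php or
# wp-login.php at least $2 times (default 1), busiest first. One client with
# hundreds of these per minute is the signature of a password-guessing run.
report_login_endpoint_posts() {
  logfile="$1"
  threshold="${2:-1}"
  awk -v t="$threshold" '
    # Combined format: $1 client IP, $6 "METHOD (leading quote kept), $7 path
    $6 == "\"POST" && $7 ~ /^\/(xmlrpc|wp-login)\.php/ {
      path = $7
      sub(/\?.*/, "", path)            # drop any query string
      n[$1 " " path]++
    }
    END { for (k in n) if (n[k] >= t) print n[k], k }
  ' "$logfile" | sort -rn
}

# Usage: write the sample to a file and report clients with 2 or more POSTs.
#   printf "%s\n" "$SAMPLE_ACCESS_LOG" > /tmp/sample.log
#   report_login_endpoint_posts /tmp/sample.log 2
```

Before denying the endpoint, check whether anything you rely on uses it: Jetpack and the WordPress mobile apps talk to a site over XML-RPC. If you need those, the 'xmlrpc_enabled' filter (returning false from a small plugin) removes the authenticated methods that brute-force tools abuse while leaving the rest of the endpoint in place.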

Secure Your WordPress Database

With a default WordPress installation you will find that the database tables are always prefixed with wp_, so it is a good idea to change this to something less predictable so that your tables are less easy for hackers to find. If you are using software to install WordPress, it is normally possible to change the default table prefix, so make sure that you do that.
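The prefix is set by the $table_prefix line in wp-config.php at install time. As an added example that goes beyond the article's install-time advice, here is a shell function (not from the article) that prints, but does not run, the SQL needed to change the prefix on an existing installation. The table list is WordPress's core single-site set, the key lists are the places where WordPress core stores the prefix inside data, and the old and new prefixes are constructed values.

```shell
#!/bin/sh
# Added example, not code from the article. Generate (print, do not run) the
# SQL that moves an existing WordPress installation from one table prefix to
# another. Renaming the tables alone leaves a broken site: WordPress also
# stores the prefix in data, as wp_options.option_name "<prefix>user_roles"
# and in wp_usermeta.meta_key ("<prefix>capabilities" etc.), so those rows
# are rewritten too, and a SELECT lists anything else left for manual review.

# WordPress core tables of a single-site installation (without prefix).
WP_CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy termmeta usermeta users"
# Keys WordPress core stores with the prefix baked in (plugins may add more).
WP_OPTION_KEYS="user_roles"
WP_USERMETA_KEYS="capabilities user_level user-settings user-settings-time dashboard_quick_press_last_post_id"

# Usage: generate_prefix_migration OLD_PREFIX NEW_PREFIX TABLE...
generate_prefix_migration() {
  old="$1"
  new="$2"
  shift 2
  for t in "$@"; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done
  # The UPDATEs run after the renames, so they address the new table names.
  for k in $WP_OPTION_KEYS; do
    printf "UPDATE \`%soptions\` SET option_name = '%s%s' WHERE option_name = '%s%s';\n" \
      "$new" "$new" "$k" "$old" "$k"
  done
  for k in $WP_USERMETA_KEYS; do
    printf "UPDATE \`%susermeta\` SET meta_key = '%s%s' WHERE meta_key = '%s%s';\n" \
      "$new" "$new" "$k" "$old" "$k"
  done
  # Anything else still carrying the old prefix is listed for manual review.
  # '_' and '%' are LIKE wildcards, so escape them in the old prefix.
  old_like=$(printf '%s' "$old" | sed 's/[_%]/\\&/g')
  printf "SELECT option_name FROM \`%soptions\` WHERE option_name LIKE '%s%%';\n" "$new" "$old_like"
  printf "SELECT DISTINCT meta_key FROM \`%susermeta\` WHERE meta_key LIKE '%s%%';\n" "$new" "$old_like"
}

# Example with constructed prefixes:
#   generate_prefix_migration wp_ k9s_ $WP_CORE_TABLES
```

Take a backup first, update $table_prefix in wp-config.php to the new value at the same time as you run the statements, and read the output of the two SELECTs with care: a name that begins with wp_ is not always prefix-derived (the core option wp_page_for_privacy_policy is one that must not be renamed), while a plugin may have stored its own prefixed keys that do need to be.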

Watch Your File Permissions

If your file permissions are loose then you are almost inviting hackers to come in and trash your site. When considering file permissions you will need to take into account that the WordPress core and some plugins need to write to certain directories, so don't lock things down too tightly.

Here is what you should look out for:

The root directory files should only be writable by your user account, with the exception of .htaccess.

/wp-admin/ files should only be writable by your user account.

/wp-includes/ files should only be writable by your user account.

/wp-content/ the files in this folder are usually supplied by the user and should only be writable by the web server process and by your user account.

/wp-content/themes/ you have a choice here. If you want to use the theme editor then all files need to be writable by the web server process. If you don't want to use the editor then set the files to be writable only by your user account.

/wp-content/plugins/ files should only be writable by your user account.
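The list above, applied and then checked, as an added shell example that is not part of the original article. It assumes the files are owned by your own (non-web-server) user and that the web server runs as a different user; "writable by your user account" is expressed as 644 files and 755 directories, and "writable by the web server process too" as group-writable 664 and 775 with the web server's group. Making wp-config.php unreadable by others is this example's choice rather than a rule the article states, as are the function and parameter names.

```shell
#!/bin/sh
# Added example, not code from the article. Apply the permission policy
# listed above with chmod, then audit the tree for anything outside it.
# Assumptions: files owned by your own user, web server running as another
# user whose group is passed as WEB_GROUP; 644/755 = "your user account only",
# 664/775 = "web server process too".

# Usage: harden_wp_permissions DOCROOT [WEB_GROUP] [THEME_EDITOR(0|1)]
harden_wp_permissions() {
  docroot="$1"
  group="$2"                 # e.g. www-data; empty = leave group ownership alone
  theme_editor="${3:-0}"     # 1 if you really use the built-in theme editor
  # Baseline for root files, wp-admin and wp-includes: owner writes, rest read.
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  if [ -d "$docroot/wp-content" ]; then
    # Uploads and other user content: the web server process must write here.
    if [ -n "$group" ]; then chgrp -R "$group" "$docroot/wp-content"; fi
    find "$docroot/wp-content" -type d -exec chmod 775 {} +
    find "$docroot/wp-content" -type f -exec chmod 664 {} +
    # Plugin code changes only when you deploy it: back to owner-only writes.
    if [ -d "$docroot/wp-content/plugins" ]; then
      find "$docroot/wp-content/plugins" -type d -exec chmod 755 {} +
      find "$docroot/wp-content/plugins" -type f -exec chmod 644 {} +
    fi
    # Themes: owner-only unless the theme editor is in use (see the text).
    if [ -d "$docroot/wp-content/themes" ] && [ "$theme_editor" = "0" ]; then
      find "$docroot/wp-content/themes" -type d -exec chmod 755 {} +
      find "$docroot/wp-content/themes" -type f -exec chmod 644 {} +
    fi
  fi
  # wp-config.php: owner writes, the web server's group reads, nobody else.
  if [ -f "$docroot/wp-config.php" ]; then
    if [ -n "$group" ]; then chgrp "$group" "$docroot/wp-config.php"; fi
    chmod 640 "$docroot/wp-config.php"
  fi
}

# Report anything outside the policy, one "reason: path" line each; prints
# nothing when the tree is clean, so it can run from cron after deployments.
audit_wp_permissions() {
  docroot="$1"
  # World-writable anything is never acceptable.
  find "$docroot" -perm -o+w | sed 's/^/world-writable: /'
  # Root files must not be group-writable, .htaccess excepted (see the list).
  find "$docroot" -maxdepth 1 -type f -perm -g+w ! -name .htaccess | sed 's/^/group-writable root file: /'
  # Code directories must be writable by your user account only.
  for d in wp-admin wp-includes wp-content/plugins; do
    if [ -d "$docroot/$d" ]; then
      find "$docroot/$d" -perm -g+w | sed 's/^/group-writable code: /'
    fi
  done
  if [ -f "$docroot/wp-config.php" ]; then
    find "$docroot/wp-config.php" -perm -o+r | sed 's/^/world-readable: /'
  fi
}

# Usage (placeholder paths and group):
#   harden_wp_permissions /var/www/html www-data
#   audit_wp_permissions /var/www/html
```

Run the audit before the hardening step as well as after: its output on an untouched site tells you which directories a plugin or a previous installer left open, which is exactly the information the article says you should look out for.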


This is just a selection of the easiest security measures that you can take for your WordPress installation. These measures will improve your security a great deal, and they will only take a small amount of time to implement. Don’t take any chances with your site. Implement these security measures today.
